Transcript Imperva

Imperva
Total Application Security
Idan Soen, CISSP
Security Engineer
SecureSphere – The First Dynamic Profiling Firewall
Agenda
• Imperva
• Application Security Landscape
• SecureSphere
Imperva Confidential
Imperva
• Company Focus: Total Application Security
• Founded in 2000 by world’s elite application security specialists
– Israeli Defense Force cyber warfare team
– Private sector penetration testing & app security consultants
• Co-Founder, CEO – Shlomo Kramer
– Check Point co-founder
– Co-developer of Stateful Inspection
• SecureSphere Product Family
– First “Dynamic Profiling Firewall”
Data Center Security
Need to Secure the Data Center
Data Center Assets have Never Been More Critical…
…or More Vulnerable
92% Vulnerable to*
– Identity theft
– Data theft
– Worms
– Denial of Service
– SQL Injection
– Parameter tampering
Business Implications of Attack
– Lost revenue
– Brand erosion
– Regulatory compliance
  • SOX, GLBA, HIPAA, CA SB-1386, CISP, etc
*Source: Imperva Application Defense Center
[Diagram labels: Users; Data Center & DMZ; Critical Servers, Proprietary Information And Custom Business Applications]
Application Threats
A multi-dimensional problem
• Web Application and Web Services attacks
– External SQL injection
– Attacks custom business applications
• Database breach
– Internal direct breach
– Attacks proprietary information
– Using legitimate access for illegitimate purposes
• Worm infection
– External and internal sources of infection
– Attacks critical servers
– Known vulnerabilities and “zero day” web worm
[Diagram labels: Internal Users; Data Center & DMZ; Critical Servers, Proprietary Information And Custom Business Applications]
• Web: SQL injection, Cookie poison, etc.
• Database: Data theft, Data corruption, etc.
• Worm: Code Red, Nimda, etc.
Data Center Security
Different Problem, Different Solution
Corporate Network
• Assets: Desktop Computers, Microsoft Apps, Personal Files
• Threats: Client Worms, Spyware, Viruses, Data Leakage
• Cost: Lost Productivity
• Solutions: IPS, Anti-Virus, and Personal Firewalls
Data Center
• Assets: Proprietary Information, Custom Business Apps, Critical Servers
• Threats: Identity Theft, Data Theft, Phishing, Malicious Robots, Server Worms, Denial of Service, SQL Injection
• Cost: Brand, Revenue, and Regulatory Compliance
• Solutions: ????
Securing the Data Center
A New Type of Firewall is Needed
• Data Center Application Security not Addressed by Network Firewall or IPS Technology
– SQL Injection, Phishing, Identity theft, Data theft, Worms, Denial of Service, Malicious Robots, etc.
• SecureSphere – Data Center Firewall
  • Protect critical servers, proprietary information and custom business applications
[Diagram: firewall layers]
• Application Logic: Data Center Firewall; Application and Database Usage (New Layer 8+); Imperva SecureSphere Dynamic Profiling Firewall
• Application Layer: Departmental Firewall; Protocol Usage (OSI Layer 4 – 7); Intrusion Prevention Systems (IPS) and Deep Inspection Firewall
• Network Layer: Perimeter Firewall; Network Access (OSI Layer 1 – 3); Network Firewall
Securing the Data Center
Point Solutions Problematic
• Fragmented Protection
– Deep Inspection Firewall
– Application Firewall
– Database Firewall
– XML Firewall
• Static Policy & Rules
– Requires constant manual tuning
• Fragmented Management
– Set policy on each device
– Fragmented logging, forensics, monitoring
– No integrated reporting
• No Cooperation Between Layers
• Poor Performance and Scalability
[Diagram labels: Internal Users; DMZ (Web Servers, App Servers, Databases); Data Center (Web Servers, App. Servers, Databases); XML Firewall; Database Firewall; App Firewall; DI Firewall]
Securing the Data Center
Breaking the Barrier
• Much more information needed for security decisions
– Web App elements
  • URLs, Cookies, Parameters, Users, Sessions, etc.
– Web Services elements
  • XML URLs, SOAP actions, XML elements, etc.
– Database elements
  • SQL Queries, SQL Tables, Users, etc.
• Too complex for manual intervention
A Dynamic Profiling Firewall must build and tune the security profile without human intervention
[Diagram: Dynamic Profiling Firewall. Layers: Network Layer (OSI layers 1 – 3); Application Layer (OSI layers 4-7); Application Logic and Databases (New layer(s)! 8+). Application Profile: Millions of dynamic items, Automatically Built, Automatically Tuned]
SecureSphere Dynamic Profiling Firewall
Data Center Ready Security
• Unified Protection
– Web, database and worm attacks
– Internal and external attackers
– Layers 1-7 and 8+
• Dynamic Profiling
– Automatically models application structure and dynamics
  • Web Application: URLs, cookies, users, parameters, sessions, etc.
  • Web Services: XML URLs, SOAP actions, XML elements, etc.
  • Database: SQL queries, SQL tables, parameters, users, etc.
– No on-going manual tuning
  • Adapts when application changes
• Centralized Management
• Enforcement & Auditing Across Layers
• High Performance and Highly Scalable
[Diagram labels: Internal Users; DMZ (Web Servers, App Servers, Databases); Data Center (Web Servers, App. Servers, Databases); SecureSphere G4 Gateways; SecureSphere MX Management Server]
Security Coverage
SecureSphere Secures the Data Center
SecureSphere Protects Against
• Web Application Attack
– Both Interface and Logic
• Web Services Attack
– SOAP/XML interfaces
• Database Breach
– Direct Database Attacks
– Via Web Application
– Via Web Services
• Worm/Platform Attack
– Network Stack
– Operating Systems
– Infrastructure Server Software
[Diagram: Application Data Center Infrastructure. Stack labels: Web Application & Web Service (Custom to Package); Application Logic (Custom to Package); Application Databases (Custom to Package); Web Server; Application Server; Database Servers; Operating System; Network Stack]
Security Coverage
SecureSphere – IPS
• Protects Critical Data Center Servers
– Operating System Platform
  • agnostic of vendor / version
– Server Software
– Network Access
– Network Protocols
• Attacks Prevented
– Server Worms
– Unauthorized Access
– Protocol Attacks
• Defenses
– User and protocol access control
– Protocol Validation and Usage
– Full Snort®-compatible signature protection
– Imperva’s Advanced ADC defenses
– Web Worm Profiling
[Diagram: Application Data Center Infrastructure]
Security Coverage
SecureSphere - Web App Firewall
• Dynamic Profiling Protects “Traditional” Web App Elements
– Application Logic
  • Form fields, cookies, URLs, Parameters
– Agnostic Web / App Server Software
  • Apache, IIS, etc.
• Example Attacks Prevented
– Cross-site scripting
– SQL Injection
– Command Injection
– Illegal encoding
– Buffer Overflows
– Cookie Poisoning
– Parameter Tampering
– Form Field Tampering
– Malicious Scanning / Robots
– Phishing
– Denial of Service
• Integrated IPS Protects the OS and the Network (point solutions don’t)
[Diagram: Application Data Center Infrastructure]
Security Coverage
SecureSphere - XML Firewall
• Dynamic Profiling Protects Web Services Elements
– Application / Web Servers
  • Agnostic to vendor brands
– Web Services Protocols and Standards
  • XML, SOAP, WSDL
• Attacks Prevented
– “Element Tampering”
– “Structure Tampering”
– SQL Injection
– Command Injection
– Illegal encoding
– Cross Site Scripting
– Buffer Overflow
• Integrated IPS Protects the OS and the Network (point solutions don’t)
[Diagram: Application Data Center Infrastructure]
Deployment
Performance and Scalability
• High Performance
– Up to 1 Gbps throughput
– Sub-millisecond latency
– Up to 8,000 transactions/second
• Scalability
– G4: Entry for small to medium segments
– G8: Performance for larger segments
– MX: Centralized management for multi-gateway environments
G8 Gateway Appliance
• Throughput: 1000 Mbps
• Requests Per Second: 8000
• Form Factor: 1U
• Max Sniffing Interfaces: 3
• Max Inline Segments: 1
G4 Gateway Appliance
• Throughput: 500 Mbps
• Requests Per Second: 4000
• Form Factor: 1U
• Max Sniffing Interfaces: 3
• Max Inline Segments: 1
Operations
Centralized Management
• Centralized Management Services
– Manages all devices from a single console
– Application level profiles and policy
– Integrated logging and forensics
– User specific alerts and monitoring
– Integrated compliance reporting
• Scalable for Large Deployments
– Three-tier architecture
– Browser-based interface
– Role-based administration
– Easy appliance deployment
  • Appliances auto-configured by mgt server
[Diagram labels: Browser Interface; MX Management Server; SecureSphere Gateway Appliances]
Summary
Securing the Data Center
• Businesses Vulnerable to New Data Center Threats
– Identity theft, data theft, SQL injection, worms, and DoS
– Risking brand, revenue, and regulatory compliance
• IPS and Network Firewalls are Not Enough
– Do not protect proprietary information and custom business applications
• SecureSphere - Data Center Ready Protection
– Security
• Protects proprietary information, custom applications, and critical servers
• Blocks even the most sophisticated attacks
– Deployment
• No change to existing applications and infrastructure
• Flexible networking and high availability
• Performance and scalability
– Operations
• No manual tuning
• Centralized management
Low TCO and High ROI
Thank You
Imperva Inc.
950 Tower Lane, Suite 1710
Foster City, CA 94404
Sales: (866) 926-4678
www.imperva.com
[Diagram labels: Web App X1; Web App X2; Test Env; Real Life Env; MX Management; Gateway G1 (OOB); Gateway G2 (OOB); Database Y1; Database Y2]